AWS cdk documentation change
Summary
Clarified security implications of bootstrap template permissions and trust configuration
Security assessment
The change emphasizes proper configuration of trusted accounts and policies but does not address a specific security vulnerability or introduce new security features. It reinforces existing security best practices without concrete evidence of a resolved issue.
Diff
diff --git a/cdk/v1/guide/bootstrapping.md b/cdk/v1/guide/bootstrapping.md index 65b79c72f..37e9ea3e9 100644 --- a//cdk/v1/guide/bootstrapping.md +++ b//cdk/v1/guide/bootstrapping.md @@ -224 +224 @@ To avoid deployment failures, be sure the policies you specify are sufficient fo -The modern bootstrap template effectively grants the permissions implied by the `--cloudformation-execution-policies` to any AWS account in the `--trust` list, which by default will extend permissions to read and write to any resource in the bootstrapped account. Make sure to configure the bootstrapping stack with policies and trusted accounts you are comfortable with. +The modern bootstrap template effectively grants the permissions implied by the `--cloudformation-execution-policies` to any AWS account in the `--trust` list. By default, this extends permissions to read and write to any resource in the bootstrapped account. Make sure to configure the bootstrapping stack with policies and trusted accounts that you are comfortable with.